Python Poison - Python open source library get hits with backdoors and malware

From Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

The ease with which trusting users download and install new Python (and Node.js, and Ruby, etc.) components has led to a range of cybercriminal attacks against package managers.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.

The public version of the package is given a higher version number that the internal version, and if the company hasn’t secured its auto-updating processes correctly, the attacker may be able to trick a company’s whole development team, or even the organisation’s official software build system, into updating private code from an untrusted (and malicious) external source.

Cybersecurity researcher Alex Birsan famously made well over $100,000 in bug bounties recently by feeding external versions of supposedly internal software packages into dozens of IT giants including Apple, PayPal, Microsoft and Shopify.

This sort of trick is known as a supply chain attack, for obvious reasons.

This is same attack that happened to Microsoft with Solarwinds.

.NET Conf 2021 - Focus on Windows Desktop Development Videos now available

 .NET Conf Videos Now available - .NET Conf: Focus on Windows - YouTube

.NET Conf  2021 has a  focus on Windows is a free, one-day livestream event that features speakers from the community and Microsoft teams working on Windows desktop apps and making them fantastic on the latest .NET 5.

Microsoft has released CodeQL with sample queries to sniff out malware

Microsoft open sources CodeQL queries used to hunt for Solorigate activity - Microsoft Security

Based on LGTM - Continuous security analysis open-source solution Microsoft has created CodeQL with sample queries to sniff out malware.

CodeQL is a powerful semantic code analysis engine that is now part of GitHub. Unlike many analysis solutions, it works in two distinct stages. First, as part of the compilation of source code into binaries, CodeQL builds a database that captures the model of the compiling code. For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database.

I posted the following question: 

How would you list methods not in a try-catch clause?

var fi2 = new FileInfo(path2);

How to list methods not wrapped in Using statement?

StreamWriter sw = new StreamWriter("hello.txt")

Answer

I'm assuming this is in C#. Something like this should work to find method calls not lexically contained by a try-catch.

import csharp

predicate inTryCatch(MethodCall mc) {
  exists(TryStmt ts | ts = mc.getParent*())
    or exists(CatchClause cc | cc = mc.getParent*())
}

from MethodCall mc
where not inTryCatch(mc)
select mc

Of course, this only finds method calls lexically enclosed. Are you looking for method calls that are part of a data flow that is not in a try-catch block? For that you will need to use data-flow analysis.